Re: Slapd issue
Philip Bellino wrote:
> Hello,
> I am running slapd(openldap-2.3.32) on a linux host. I am also running
> openldap-2-32-3 on a linux client.
> If I use the "allow_bind_v2" switch in the slapd.conf file, I can do
> anonymous simple binds from the client to the server over TCP with no
> problems. I can also do simple login/password authentication with no
> problems.

Anonymous Simple Binds are allowed regardless of the "allow_bind_v2" option.
As its name implies, that option only controls whether to accept Binds that
specify LDAPv2. That option defaults to off and generally should stay off.
LDAPv3 has been around for 10 years already and LDAPv2 was officially retired
4 years ago; there's no good reason for anybody to still be using it now.

> I now am trying to use v3 secure connections. When I attempt to
> authenticate, I get the following errors from the slapd logs (in bold):
> TLS trace: SSL_accept:SSLv3 flush data
> *tls_read: want=5 error=Resource temporarily unavailable*
> *TLS trace: SSL_accept:error in SSLv3 read client certificate A*
> *TLS trace: SSL_accept:error in SSLv3 read client certificate A*

This error was ignored by slapd, otherwise the log would have shown the
connection being closed here. This behavior is normal, since you didn't
require client certificate verification.

> daemon: epoll: listen=7 active_threads=0 tvp=NULL
> daemon: epoll: listen=8 active_threads=0 tvp=NULL
> daemon: epoll: listen=9 active_threads=0 tvp=NULL
> daemon: epoll: listen=10 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptor
> daemon: activity on: 14r
> daemon: read active on 14
> connection_get(14)
> connection_get(14): got connid=0
> connection_read(14): checking for input on id=0
> tls_read: want=5, got=5
> 0000: 15 03 01 00 02 .....
> tls_read: want=2, got=2
> 0000: 02 30 .0
> *TLS trace: SSL3 alert read:fatal:unknown CA*
> *TLS trace: SSL_accept:failed in SSLv3 read client certificate A*
> *TLS: can't accept.*
> *TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> s3_pkt.c:1057*
> *connection_read(14): TLS accept failure error=-1 id=0, closing*
> connection_closing: readying conn=0 sd=14 for close
> connection_close: conn=0 sd=14

This shows that the client sent an "unknown CA" message to the server and
that the client considered it a fatal error, and closed the connection.

> It looks to me as if slapd is trying to read the client certificate even
> though my slapd.conf file entry "*TLSVerifyClient never*" is set. I am
> new to this all, so I do not know if I am interpreting this correctly or
> not.

That is not the important part of the trace.

> Any help would be most appreciated.

Read the Admin Guide section on Using TLS.
http://www.openldap.org/doc/admin23/tls.html

> Thanks,
> Phil Bellino
> ============================
> Phil Bellino
> MRV Communications, Inc.
> Boston Product Division
> 295 Foster St.
> Littleton, MA 01460
> Tel: (978)952-4807
> Email: pbellino@mrv.com
> ============================
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
Chief Architect, OpenLDAP http://www.openldap.org/project/
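The two `tls_read` hex dumps in the trace above are the whole story, and the reply's reading of them can be checked mechanically. The following Python is an added example, not code from this thread or from OpenLDAP: it pulls the dumped bytes back out of slapd's trace lines (using the `got=N` count so the trailing ASCII column is never mistaken for data), parses them as a TLS record, and names the alert. The dump lines are copied from the thread; the function names, the alert tables and the `diagnose` wording are this example's own.

```python
"""Decode the TLS alert record slapd logged in the trace above (added example)."""
import re
from dataclasses import dataclass

# Values from RFC 5246 sections 6.2.1 and 7.2; SSLv3/TLS 1.0 use the same ones.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {  # subset, enough for certificate-related failures
    0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
    42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 47: "illegal_parameter", 48: "unknown_ca",
    49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 80: "internal_error",
}

READ_RE = re.compile(r"tls_read: want=(\d+), got=(\d+)")
HEX_TOKEN = re.compile(r"^[0-9a-fA-F]{2}$")


@dataclass
class TlsAlert:
    version: str
    level: str
    description: str
    code: int

    def is_fatal(self) -> bool:
        return self.level == "fatal"


def extract_tls_bytes(trace_lines):
    """Reassemble the raw bytes from slapd's 'tls_read' hex dumps.

    Each 'tls_read: want=N, got=N' line is followed by dump lines of the form
    'OFFSET: xx xx ... <ascii column>'. Taking exactly got=N hex tokens keeps
    the ASCII column (e.g. '.0') from ever being read as data.
    """
    data = bytearray()
    remaining = 0
    for line in trace_lines:
        m = READ_RE.search(line)
        if m:
            remaining = int(m.group(2))
            continue
        if remaining == 0:
            continue
        _offset, sep, rest = line.partition(":")
        if not sep:
            continue
        for tok in rest.split():
            if remaining == 0 or not HEX_TOKEN.match(tok):
                break
            data.append(int(tok, 16))
            remaining -= 1
    return bytes(data)


def parse_alert_record(data: bytes) -> TlsAlert:
    """Parse a 5-byte TLS record header plus a plaintext 2-byte alert body.

    An alert sent during the handshake, before ChangeCipherSpec, is not
    encrypted, which is why its level and description are readable here.
    """
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    ctype, vmaj, vmin = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    if CONTENT_TYPES.get(ctype) != "alert":
        raise ValueError(f"not an alert record (content type {ctype})")
    body = data[5:5 + length]
    if length != 2 or len(body) != 2:
        raise ValueError("alert body must be exactly 2 bytes")
    level, desc = body[0], body[1]
    return TlsAlert(version=VERSIONS.get((vmaj, vmin), f"{vmaj}.{vmin}"),
                    level=ALERT_LEVELS.get(level, f"level({level})"),
                    description=ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
                    code=desc)


def diagnose(alert: TlsAlert) -> str:
    """Interpret the alert from slapd's side: slapd *read* it, so the client
    sent it, and the server's TLSVerifyClient setting has no bearing on it."""
    if alert.description == "unknown_ca":
        return ("client sent fatal unknown_ca: it does not trust the CA that "
                "signed the server certificate; fix the client's CA trust store")
    if alert.description in ("bad_certificate", "certificate_unknown",
                             "certificate_expired", "certificate_revoked"):
        return f"client rejected the server certificate itself ({alert.description})"
    return f"client sent {alert.level} alert {alert.description}"


# Dump lines copied from the slapd trace in the thread above.
SLAPD_TRACE = [
    "tls_read: want=5, got=5",
    "0000: 15 03 01 00 02 .....",
    "tls_read: want=2, got=2",
    "0000: 02 30 .0",
]


def decode_trace(lines=SLAPD_TRACE) -> TlsAlert:
    return parse_alert_record(extract_tls_bytes(lines))


if __name__ == "__main__":
    alert = decode_trace()
    print(alert)
    print(diagnose(alert))
```

Running it yields content type 21 (alert), version 3.1 (TLS 1.0), length 2, then level 2 (fatal) and description 48 (unknown_ca), which is exactly what the `SSL3 alert read:fatal:unknown CA` trace line and the reply say: the client, not slapd, rejected the server's certificate chain, so the place to look is the client-side CA configuration covered in the Admin Guide's TLS section that the reply links.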